Update Debian SSL protocols and ciphers to match defaults

ekohl · ekohl · commit 67a8a1799ee7 · 2022-10-26T19:49:27.000+02:00
Debian 10 and Ubuntu 18.04 (oldest of supported Debian-based distros)
default to these values. This gives a safer out-of-the-box experience.
diff --git a/manifests/params.pp b/manifests/params.pp
@@ -727,6 +727,10 @@
     $ssl_protocol = []
     $ssl_cipher = 'PROFILE=SYSTEM'
     $ssl_proxy_cipher_suite = 'PROFILE=SYSTEM'
+  } elsif $facts['os']['family'] == 'Debian' {
+    $ssl_protocol = ['all', '-SSLv3']
+    $ssl_cipher = 'HIGH:!aNULL'
+    $ssl_proxy_cipher_suite = undef
   } else {
     $ssl_protocol = ['all', '-SSLv2', '-SSLv3']
     $ssl_cipher = 'HIGH:MEDIUM:!aNULL:!MD5:!RC4:!3DES'
diff --git a/spec/acceptance/apache_ssl_spec.rb b/spec/acceptance/apache_ssl_spec.rb
@@ -25,6 +25,8 @@ class { 'apache':
       it { is_expected.to be_file }
       if os[:family].include?('redhat') && os[:release].to_i >= 8
         it { is_expected.not_to contain 'SSLProtocol' }
+      elsif ['debian', 'ubuntu'].include?(os[:family])
+        it { is_expected.to contain 'SSLProtocol all -SSLv3' }
       else
         it { is_expected.to contain 'SSLProtocol all -SSLv2 -SSLv3' }
       end
diff --git a/spec/classes/mod/ssl_spec.rb b/spec/classes/mod/ssl_spec.rb
@@ -69,7 +69,7 @@
     it { is_expected.to contain_class('apache::params') }
     it { is_expected.to contain_apache__mod('ssl') }
     it { is_expected.not_to contain_package('libapache2-mod-ssl') }
-    it { is_expected.to contain_file('ssl.conf').with_content(%r{SSLProtocol all -SSLv2 -SSLv3}) }
+    it { is_expected.to contain_file('ssl.conf').with_content(%r{SSLProtocol all -SSLv3}) }
   end
   context 'on a FreeBSD OS' do
     include_examples 'FreeBSD 9'
